
RUSTSEC-2026-0176

Out-of-bounds read in nth / nth_back for PyList and PyTuple iterators

Reported
Issued
Package
pyo3 (crates.io)
Type
Vulnerability
Categories
Keywords
#out-of-bounds-read #integer-overflow
References
Patched
  • >=0.29.0
Unaffected
  • <0.24.0
Affected Functions
Version
pyo3::types::list::BoundListIterator::nth
  • >=0.24.0, <0.29.0
pyo3::types::list::BoundListIterator::nth_back
  • >=0.24.0, <0.29.0
pyo3::types::tuple::BoundTupleIterator::nth
  • >=0.24.0, <0.29.0
pyo3::types::tuple::BoundTupleIterator::nth_back
  • >=0.24.0, <0.29.0

Description

PyO3 0.24.0 added optimized implementations of Iterator::nth and DoubleEndedIterator::nth_back for the BoundListIterator and BoundTupleIterator types. These implementations computed the target index using unchecked usize addition (index + n) before bounds-checking against the sequence length, then read the element via get_item_unchecked.

In the nth methods, a sufficiently large n (combined with a non-zero internal index) could cause the addition to overflow and wrap around, producing a small "target index" that passed the bounds check and allowed reads from the front of the list or tuple, i.e. of elements the iterator had already yielded.

In the nth_back methods, a sufficiently large n could cause underflow in a similar fashion, but would instead allow reads of arbitrary memory past the end of the list or tuple storage.

PyO3 0.29.0 has corrected these methods to use checked arithmetic at the positions which could be at risk of overflow.
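A model of the two index computations described above, added here as an illustration and not taken from pyo3's own source: the vulnerable form uses wrapping arithmetic to stand in for the unchecked addition and subtraction (their release-build behaviour), and the fixed form uses checked arithmetic as 0.29.0 does. The `IterBounds` type, its method names and the sample sizes are assumptions.

```rust
/// Added illustration, not pyo3's own code: the index bookkeeping of a
/// BoundListIterator-style iterator, a front `index` and an exclusive `end`.
struct IterBounds {
    index: usize,
    end: usize,
}
impl IterBounds {
    /// A sequence of `len` elements with `yielded` already consumed from the front.
    fn new(len: usize, yielded: usize) -> Self {
        IterBounds { index: yielded, end: len }
    }

    /// Models the 0.24-0.28 nth: the target is formed with wrapping add (what
    /// unchecked usize addition does in a release build) and only then compared
    /// with `end`. Returns the index that would reach get_item_unchecked.
    fn nth_target_vulnerable(&self, n: usize) -> Option<usize> {
        let target = self.index.wrapping_add(n);
        if target < self.end { Some(target) } else { None }
    }

    /// Models the 0.29 fix: checked_add turns the wrap into None, the correct
    /// "iterator exhausted" answer.
    fn nth_target_fixed(&self, n: usize) -> Option<usize> {
        let target = self.index.checked_add(n)?;
        if target < self.end { Some(target) } else { None }
    }

    /// Models the vulnerable nth_back: `end - n - 1` wraps for large n to a
    /// huge value that still satisfies `target >= index`, a read past the end.
    fn nth_back_target_vulnerable(&self, n: usize) -> Option<usize> {
        let target = self.end.wrapping_sub(n).wrapping_sub(1);
        if target >= self.index { Some(target) } else { None }
    }

    /// Checked subtraction makes the same computation fail closed.
    fn nth_back_target_fixed(&self, n: usize) -> Option<usize> {
        let target = self.end.checked_sub(n)?.checked_sub(1)?;
        if target >= self.index { Some(target) } else { None }
    }
}

fn main() {
    // Constructed sample: 8 elements, 3 already yielded from the front.
    let it = IterBounds::new(8, 3);
    println!("{:?}", it.nth_target_vulnerable(usize::MAX - 1)); // Some(1)
    println!("{:?}", it.nth_target_fixed(usize::MAX - 1)); // None
    println!("{:?}", it.nth_back_target_vulnerable(9)); // Some(usize::MAX - 1)
    println!("{:?}", it.nth_back_target_fixed(9)); // None
}
```

The vulnerable nth result `Some(1)` is an index of an element already yielded, and the vulnerable nth_back result is an index far beyond the eight-element storage; both checked variants return `None`.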

Advisory available under CC0-1.0 license.